CVE-2020-14295
PUBLISHED
A SQL injection issue in color.php in Cacti 1.2.12 allows an admin to inject SQL via the filter parameter. This can lead to remote command execution because the product accepts stacked queries.
EPSS 78.69% · 99.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:20.04:LTS | cacti | 0, 1.2.4+ds1-2ubuntu3, 1.2.9+ds1-1ubuntu1 |
| Ubuntu:Pro:18.04:LTS | cacti | 1.1.38+ds1-1, 0, 1.1.18+ds1-1 |
| Ubuntu:Pro:14.04:LTS | cacti | 0.8.8b+dfsg-5, 0.8.8b+dfsg-5ubuntu0.1, 0.8.8b+dfsg-5ubuntu0.2 |
Timeline
- Jun 17, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Apr 29, 2021 PoC Published
- Apr 29, 2021 EPSS Score
- Apr 30, 2021 EPSS Score
- Jun 2, 2021 PoC Published
- Jun 2, 2021 EPSS Score
- Jun 3, 2021 EPSS Score
- Jul 15, 2022 EPSS Score
- Nov 15, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 26, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-14295 third-party-advisory
- https://github.com/Cacti/cacti/issues/3622 third-party-advisory
- https://ubuntu.com/security/notices/USN-5214-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-14295 third-party-advisory